aHack: automated network auditing
aHack is essentially a re-implementation, with permission, of
Alec Muffett's AutoHack tool as described in his paper WAN-hacking with AutoHack.
Background
aHack is essentially an engine for doing things to hosts on a
network and recording the results. These things range from
harmless information gathering to hostile actions such as breaking
into systems.
aHack can be a very useful tool for gathering information about
large networks, so that questions like "how many web servers do we
have?" can be answered.
Actually using aHack to break into systems can also provide
valuable information (and motivation to improve security) but should
only be done with the full knowledge and consent of the system
owners.
Address testing
aHack is designed for probing WANs. It is able to expand a
simple IP address specification into all the matching addresses, and
test them for validity (can the address be pinged, or does it respond
to a UDP echo packet?). Validated addresses are then passed on to the
probe engine.
Information probing
The first thing aHack does with an address is a TCP port
scan. It then uses snmp, rpcinfo and other harmless probes to gather
general information about the address. This information is often all
that is wanted, but it can also be used by the next phase.
Vulnerability probing
It is amazing how many UNIX machines are running software which is
years behind the current release. In most cases this means the
machines are vulnerable to well known and easily implemented
attacks.
aHack is supplied with a collection of "Attack" modules which
test for these known vulnerabilities and it is simple to add to the
collection.
Exploiting Vulnerabilities
If you have management support, you can let aHack
exploit the vulnerabilities it finds to actually break into the
system. In all the supplied exploits the goal is to create a harmless
file on the system to prove the breach but no more.
Reporting
aHack can produce reports about the systems it has probed. A
secure host may show nothing more than the harmless information
gathered in the first phase, while an old or insecure system may
produce a report like:
host 192.168.10.2 rex
date Fri Sep 29 17:27:20 EST 1995
192.168.10.2 ***** sendmail security hole #1
192.168.10.2 ***** direct access as root
192.168.10.2 ***** confirm sendmail security hole #2
192.168.10.2 ***** confirm sendmail security hole #1
192.168.10.2 **** passwd file available via tftp
192.168.10.2 **** passwd file available via rcmd
192.168.10.2 **** might have sendmail security hole #2
192.168.10.2 **** got 12 passwd entries to crack
192.168.10.2 **** direct access as uucp
192.168.10.2 **** direct access as sys
192.168.10.2 **** direct access as sjg
192.168.10.2 **** direct access as operator
192.168.10.2 **** direct access as nobody
192.168.10.2 **** direct access as games
192.168.10.2 **** direct access as ftp
192.168.10.2 **** direct access as daemon
192.168.10.2 **** direct access as bin
192.168.10.2 **** direct access as adm
192.168.10.2 **** access via telnet as games with NO passwd
192.168.10.2 * version='Sendmail 4.0/SMI-4.0'
192.168.10.2 * uname: SunOS rex 4.0 sun
192.168.10.2 * sendmail='sendmail-5'
192.168.10.2 * info: last probed Thu Sep 28 23:00:20 EST 1995
192.168.10.2 * hostname='rex'
Keep in mind that on most UNIX systems, access as any unprivileged
user can quickly be turned into root access.
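As an added example (not part of aHack or its documentation), a small Python parser for the report layout shown above: it reads the host and date header lines, turns the star prefix into a numeric severity, and lists the findings a defender would follow up first. The sample input is a constructed excerpt in that layout, not real scan output.

```python
import re
from collections import Counter

# Constructed sample in the report layout shown above (not real scan output).
SAMPLE_REPORT = """\
host 192.168.10.2 rex
date Fri Sep 29 17:27:20 EST 1995
192.168.10.2 ***** sendmail security hole #1
192.168.10.2 **** passwd file available via tftp
192.168.10.2 **** got 12 passwd entries to crack
192.168.10.2 **** access via telnet as games with NO passwd
192.168.10.2 * version='Sendmail 4.0/SMI-4.0'
192.168.10.2 * hostname='rex'
"""

# One finding line: <ip> <one to five stars> <message>
FINDING_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<stars>\*{1,5})\s+(?P<msg>.+)$")

def parse_report(text):
    """Return (header, findings). header holds host/hostname/date;
    each finding is a dict with ip, severity (1..5 = star count) and msg."""
    header, findings = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("host "):
            parts = line.split(maxsplit=2)
            header["host"] = parts[1]
            header["hostname"] = parts[2] if len(parts) > 2 else ""
        elif line.startswith("date "):
            header["date"] = line[5:]
        else:
            m = FINDING_RE.match(line)
            if m:  # lines that do not fit the layout are skipped, not guessed
                findings.append({"ip": m["ip"], "severity": len(m["stars"]),
                                 "msg": m["msg"]})
    return header, findings

def severity_histogram(findings):
    """Count of findings per severity level, e.g. {5: 1, 4: 3, 1: 2}."""
    return dict(Counter(f["severity"] for f in findings))

def triage(findings, min_severity=4):
    """Findings at or above min_severity, most severe first."""
    return sorted((f for f in findings if f["severity"] >= min_severity),
                  key=lambda f: -f["severity"])

if __name__ == "__main__":
    hdr, found = parse_report(SAMPLE_REPORT)
    for f in triage(found):
        print(hdr["host"], f["severity"], f["msg"])
```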
Availability
aHack is available under license, and is supplied with
source code and a useful collection of probe/exploit modules. A
porting service is available, as is assistance with
developing additional probe modules.
POA
Copyright © 1997-2001 Crufty.NET